Michael Robertson Says Root is Safe
Kez writes "HEXUS.net caught up with Michael Robertson, CEO of Linspire, at the UK launch of Linspire 5. Their interview with Mr. Robertson covers everything from hardware support to software patents, but a comment from Mr. Robertson on using root is perhaps the most interesting: "I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say 'oh, yeah, it is!', but it really isn't." I would imagine a few Slashdotters would dispute that."
I work as a consultant for several Fortune 500 companies, and I think I can shed a little light on the climate of the open source community at the moment. I believe that part of the reason that open source based startups are failing left and right is not an issue of marketing as it's commonly believed but more of an issue of the underlying technology.
I know that that's a strong statement to make, but I have evidence to back it up! At one of the major corps (5000+ employees) that I consult for, we wanted to integrate the shareware version of Linux into our server pool. The allure of not having to pay any restrictive licensing fees was too great to ignore. I recommended the installation of several boxes running the new 2.4.9 kernel, and my hopes were high that it would perform up to snuff with the Windows 2k boxes which were (and still are!) doing an AMAZING job at their respective tasks of serving HTTP requests, DNS, and fileserving.
I consider myself to be very technically inclined having programmed in VB for the last 8 years doing kernel level programming. I don't believe in C programming because contrary to popular belief, VB can go just as low level as C and the newest VB compiler generates code that's every bit as fast. I took it upon myself to configure the system from scratch and even used an optimised version of gcc 3.1 to increase the execution speed of the binaries. I integrated the 3 machines I had configured into the server pool, and I'd have to say the results were less than impressive... We all know that Linux isn't even close to being ready for the desktop, but I had heard that it was supposed to perform decently as a "server" based operating system. The 3 machines all went into swap immediately, and it was obvious that they weren't going to be able to handle the load in this "enterprise" environment. After running for less than 24 hours, 2 of them had experienced kernel panics caused by Bind and Apache crashing! Granted, Apache is a volunteer based project written by weekend hackers in their spare time while Microsoft's IIS has an actual professional full fledged development team devoted to it. Not to mention the fact that the Linux kernel itself lacks any support for any type of journaled filesystem, memory protection, SMP support, etc, but I thought that since Linux is based on such "old" technology that it would run with some level of stability. After several days of this type of behaviour, we decided to reinstall Windows 2k on the boxes to make sure it wasn't a hardware problem that was causing things to go wrong. The machines instantly shaped up and were seamlessly reintegrated into the server pool with just one Win2K machine doing more work than all 3 of the Linux boxes.
Needless to say, I won't be recommending Linux/FSF to any more of my clients. I'm disappointed that they won't be able to leverage the free cost of Linux to their advantage, but in this case I suppose the old adage stands true that, "you get what you pay for." I would have also liked to have access to the source code of the applications that we're running on our mission critical systems; however, from the looks of it, the Microsoft "shared source" program seems to offer all of the same freedoms as the GPL.
As things stand now, I can understand using Linux in academia to compile simple "Hello World" style programs and learn C programming, but I'm afraid that for anything more than a hobby OS, Windows 98/NT/2K are your only choices.
In the article, Michael defines security as the (in)ability to access personal data. In that respect, he's probably right. But I think he oversimplifies the real question of allowing the users to run under the one account that could really screw up their machine.
He argues that just because we could possibly drive our cars into brick walls doesn't mean we should all be limited to driving at 10 mph. I don't believe the likelihood of even the least skilled driver actually ramming into a brick wall is quite as much as my grandma's likelihood of completely screwing up her computer were she granted root access. I've seen her mess up her Windows machine pretty nicely.
http://nerdfortress.com/
... however, your comment about FireFox not adopting ActiveX, I would put to you, is actually not a good thing. Many, many Microsoft software developers are exploiting this, and without ActiveX compatibility they aren't going to migrate to FireFox very quickly (if at all).
On a side note: this is sort of like Word and Excel macros and OpenOffice.org. Without them, Oo.org is missing quite a few companies.
XML is like violence. If it doesn't solve the problem, use more.
1) It protects you from yourself. Nobody's perfect all the time.
2) It limits damage from exploits. Go ahead and be root if you aren't networked and never insert media, or are running a perfectly-secure OS.
3) it protects you from another user's malice. N/A for single-user machines.
Examples of when it is OK to run as root:
1) many non-networked embedded systems, e.g. your microwave oven
2) the DOS box in the corner your kids play DOOM I on.
3) Demo machines at trade shows, but only if they are not networked and have no removable media.
Other examples where running as root isn't advisable but the damage is greatly mitigated include read-only systems like Knoppix.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I knew Michael Robertson in college and he was a technological lamer and pretty much an A-hole. And he doesn't appear to have changed much. He's cobbling together whatever technologies he can get his hands on and then shamelessly pimping^H^H^H^H^H^H^H self promoting whatever his latest project is regardless of merit.
He unfortunately seems to have learned that there is little fact checking in the business press - especially where technology is concerned - and that if he can create a stir he can probably create profit.
It was several years before I realized that it was the same Michael but I visited the website and found his picture there - in multiple super high resolutions - seriously why would I want a 1435x1980 pixel image of him?
Does he think he's desktop material? There's even information for booking him for speaking engagements... but it's not about ego. *SIGH*
Look for the stock pump and dump scheme followed by an SEC investigation in 5 - 10 years...
=tkk
Bill Gates - Creationist?!?
Actually, slightly off topic, but you have just highlighted/reminded me what I believe to be one of the problems with permissions on *nix generally.
What we lack is that fine tuning - I should be able to specify that a particular UID can listen on ifname:80, not kick off a process as root, then setuid it...
A hierarchical permissions set on the process tree could also be very handy... (think ACLs for the proc tree), although this could get pretty damned difficult to drive very fast if implemented badly.
I think this is the fault of the command not asking for confirmation. I mean Format C: will at least ask you if you are sure. It's not like you have to clear the root directory that often that this would be a pain.
Philosophy.
Almost word for word, this guy has been posting this same text around different sites for 2 years. It has sort of reached goatse status (ie effing annoying). Just ignore it
- MySQL, for instance, runs as a separate user. [...] For instance, keep your accounting files under a different user
Well, sure, but most Linspire users probably don't run MySQL or keep accounting files for a business on their Linspire box. I mean, from the article, it's clearly aimed at Grandma, who wants to web surf and send e-mail.
- Running something like apache as root, and any vulnerability in programs such as phpMyAdmin will make your whole server go poof.
Same comment. Grandma isn't running a server, or using phpMyAdmin.
- Any exploitable program you run as another user will still need a local escalation exploit in order to do anything harmful.
Well, the point he's making in the article is that on a personal desktop machine, it's the data in your own user account that's valuable. The exploitable program running as user gramma can still delete all of Gramma's files, without escalating to root.
- rm -Rf / as nonroot will make you give a sigh of relief. As root will be your nightmare.
Well, Gramma's not likely to type that obscure command anyway. But even if she's not root, what if she types rm -Rf ~? From her point of view, on a single-user machine, that's just as bad -- she's back to a fresh install.
And remember, when Gramma fires up her Linspire box for the first time, she doesn't have any services turned on, so actually there's not much that anyone from the outside can do without convincing her to execute an e-mail attachment or something (which Linux mail readers typically don't make it easy to do casually). Give her a hardware router between the machine and the wall, and bang, she's got a pretty decent hardware firewall as well (and it's a firewall that she doesn't need to configure or maintain).
And suppose Gramma creates a root account, but the password she chooses is her dog's name, because she figures nobody can guess that? If I was helping her set things up, I'd be more concerned with explaining to her about how to choose a good password than with convincing her to set up a separate root account.
Actually I think MacOS X has done a really nice job on this kind of stuff, and their strategy should probably be emulated, especially by distros aimed at home users. Everything is done using sudo. Any time you want to install a printer driver or whatever, it makes sure you're a user who's got administrator privs, and it makes you type in your password. For example, on my wife's MacOS X box, she and I both have admin privs, but our kids don't. I can't even remember the last time I had to do an su root on her box.
Find free books.
That's why you set the /home directory to non-executable. No program, including rm, will walk into it unless you are root. Note that this doesn't affect the ability of non-root users to access any correctly permissioned sub-directory of /home.
Elevators go up and down. The only thing that straightforward on a computer is the CD drive (and even that sometimes causes my system to freeze :-) )
I'm not suggesting that the usability of computers cannot be improved; far from it. But just as some people are simply very bad drivers, some people will not be able to use some programs because they don't have the training, they aren't willing to practice, or they just don't "get it". Trying to cater to these people by writing programs that a 5-year-old could use probably results in programs that only a 5-year-old would want to use.
In that case, I think running in administrator mode just makes it harder to remove the infection. I think it's trivial to trojan people into running bots that run in user space rather than system space. It's just not necessary to make such a program because it's easier to assume they are running as admin.
What I'd be interested to know is if there's a means to switch between user sessions on a Linux system without logging off. This is something I actually miss from XP.
I suppose that I could rig something that required multiple X sessions that you go between by hitting the CTRL-ALT-F# keys. However, it'd be nice to have something that simple folk can use.
Your courageous and selfless spelling corrections have made me a better person.
even better, firemen and other individuals with authority can gain "root access" by using a key and thus gain full control of and override ability on the elevator.
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
I hope I can remember the details of this correctly. Here goes. Some time ago (maybe 5 years ago) I was running Linux on a PPC box. I wanted to play a .au file. The sound device was something like /dev/scd. All I needed to do was
cat soundfile.au > /dev/scd
I typed
cat soundfile.au > /dev/sda
Whoops. Yes, there is a reason not to run as root. I admit the mistake was dumb but if I wasn't root I would have been protected from myself.
The "users should have to learn" mentality is what keeps computers complicated and difficult to use.
Actually, my opinion is and always has been that assuming users are stupid and incapable of learning the most basic idioms is the real problem with computing. I mean, if we can't even expect to teach people what a "directory tree" is and means, how do we expect them to learn to organize information? Sure, google can claim you should "search instead of organize," but the fact remains there are times when searching is useful and times when indexing and organizing are useful. Knowing both is computing 101.
The trick for developers is creating minimal yet powerful knowledge-space for users to occupy and NOT CHANGING IT! (Note: this doesn't mean the back-end doesn't change, just that the controls remain familiar... and every change is designed specifically to make usage easier, and with an eye toward disruption costs.)
I mean really. The basic distribution model:
1) Download application to known location.
2) Execute application at known location.
Hasn't changed since the very first personal computers, so why is it we even need things like ActiveX? (ie: if it's worth running, it's probably worth the trouble to purposely install...)
Note: For moving around a lot or organizations, replace "application" with "application suite".
And food for thought: Why can't I just grab the contents of my "programs" directory and move it to a new machine?
There have been some very good research projects done on how to build a more secure system, and some of the most amazingly effective ones have been the ones that challenge the basic assumptions of "best practice".
MIT Kerberos takes the view that no machine on the network can be implicitly trusted; access to network services is controlled by tickets, mediated by a ticket distribution service with which each user and service has a pre-shared key. This works even for systems in which the local operating systems have no internal access control mechanisms whatsoever.
Capability-based systems essentially throw out the classic security model of users, roles and permissions, replacing them with a system of nonforgeable references by means of a combination of memory protection and cryptographically strong naming.
Finally, people need to come to terms with the fundamental fact that content-based security schemes are a losing proposition (1, 2). Virus scanners, adware scanners, porn blockers, spam filters, and even national customs departments all face the same problem: they can only inspect what goes by and apply a list of tests to winnow bad items. There is strong economic pressure to find ways to bypass these types of checkpoints, so new tricks are constantly being invented, only to be compensated for by the guardians; thus the guardians are always a step behind.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
An elevator has only six possible states: going up, going down, or stopped, multiplied by doors open or doors closed. While getting into those states may have required skill in old elevators, the complexity was inherently limited.
Your computer has a whole bunch more potential states of configuration and execution. Just assuming ten programs that may or may not be running at a given time, right there you've got 1,024 states. Then there's the state of each of those programs - say each program is not just running or not, but can be in one of five states (which is not unreasonable - not running, loading, reading, writing, and closing). Now you've got 5^10=9,765,625 possible states for your system to be in. Six orders of magnitude more complex than the elevator. Then assume a few variables of configuration - just ten binary values would take us up to ten billion states. (And that's assuming only ten programs - right now ps -ax | wc says I've got over 100 processes running.)
It gets worse if you take a finer-grained view of what a state is - the RAM in your system can assume more states than the number of elementary particles in the Universe.
Of course in theory, our operating system partitions that complexity, so you only have to deal with the states of one program at a time. And one way it does that is by separating user privileges.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
I'd like to add the fact elevators didn't always have light-up buttons labelled for each floor. There used to be a lever to make it go up or down. Stopping at a floor was a skill. It was more convenient to have an operator than have people miss the floor by 3 feet and break their ankles climbing out, or maybe cutting each other in half by accidentally bumping the lever when exiting.
Now there is a much simpler and intuitive interface that anyone can use, so a dedicated operator is not needed (though I hear Congress still has elevator operators so those busy politicians don't have to worry about breaking their nails, or something).
If you had a computer with a set of buttons for each of a few trivial operations available to the user, and those are the only operations, it probably doesn't matter if you run as root or not.
Such a system would also suck as a general purpose home computer.
If you're going to do anything beyond trivial actions, and perhaps getting into complex stuff that you don't necessarily understand, it's probably best NOT to be running as root.
Think of it as 2 sets of operations:
- the ones that can mess up your stuff
- the ones that can mess up the whole system
Both sets have the ability to wipe out your data, but the latter can wipe out other people's data, critical system files, raw hard drives... pretty much screw your data, and your machine.
Both your user account and root have the ability to mess up your stuff. A regular user account typically cannot mess up other accounts' data or the operating system, without using "su" or "sudo" or some other method to escalate privileges.
MacOSX has root separate from the user account. A user can be an "Administrator", which gives the user sudo capability. GUI operations (software installs, editing user accounts, and other system configuration) do a graphical equivalent to sudo, prompting the user for their admin password. It's not that complicated. It's an extra layer of protection, and lets the user know that they're doing something out of the ordinary. It's not that complicated.
Even my parents understand it.
blog
There is an issue you've not addressed. How about when your data is not the target? (Honestly, most people's data is not worth stealing).
What if an attacker just wishes to compromise your machine and use it to attack other machines, relay spam, etc? This is a huge problem with Windows.
"That's some catch, that Catch 22." "It's the best there is."
What I don't understand is why the *nixes don't implement something like the Mac's trash can.
Create an invisible directory under each and every mount that is called .trash, and when *any* user does *any* rm command, instead of deleting the files outright, simply move them into the .trash directory.
First, notice that if you run "rm" on Mac OS X, even it won't use the trash can.
The behavior of Linux and Mac is actually quite similar in this instance. On either platform, removing a file with the GUI tool brings it to a trash holder, but the command line deletes immediately.
Simple, practical obstacles: ~/.trash won't work for files which are on other disks, network shares, removable media, etc. It would have to move the file to the same hard drive as your ~ directory first, which will at best take time, and at worst will overfill your own disk.
More fundamental, and historical explanation: Unix was designed as an operating system, a framework for applications. To keep the job manageable, they added in things that were necessary for the OS (like files, copying, and deleting), but not things that could be better handled at the application level. ~/trash is GUI sugar: just a minor way to make it more difficult for users to input commands that they likely didn't intend.
So, then the question becomes, why did application-level implementations of a two-stage file deletion become popular? And here, the answer is the old canard "Good is the enemy of great". Because the native "rm" command was adequate for more than 98% of all usages, there was little demand to shift to something more complex, even if it would be occasionally safer.
When finally you are shopping around for disk space, only then do you consider emptying the trash.
Unix is a server-oriented OS, both historically and still today. Servers are expected to go weeks and months without a user sitting at them. Needing a person on-hand to Empty Trash just because the webserver has been creating and deleting a bunch of cache files is a bad thing.
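A worked implementation of the per-mount .trash idea, added here as an example (not code from the thread or from any distribution): rm becomes a rename into a .trash directory on the file's own filesystem, it refuses cross-device moves rather than copying (the disk-space objection above), it records where each file came from so it can be restored, and it expires old entries so an unattended server does not fill up. The trash_root parameter and the .origin sidecar file are my own assumptions.

```python
"""Per-mount .trash for rm: added example, not code from the thread or any distro."""
import os
import shutil
import time

TRASH_DIRNAME = ".trash"   # name assumed from the proposal above


def mount_point(path):
    """Walk upward from path until os.path.ismount() reports a mount point."""
    path = os.path.abspath(path)
    while not os.path.ismount(path):
        parent = os.path.dirname(path)
        if parent == path:          # reached '/', which is always a mount
            break
        path = parent
    return path


def safe_rm(path, trash_root=None):
    """Move path into the .trash of its own mount and return the trash entry.
    trash_root (assumed parameter) overrides the mount lookup, e.g. for tests.
    Rather than copy across devices (slow, may overfill the local disk), raise.
    """
    path = os.path.abspath(path)
    if trash_root is None:
        trash_root = mount_point(os.path.dirname(path))
    trash = os.path.join(trash_root, TRASH_DIRNAME)
    os.makedirs(trash, mode=0o700, exist_ok=True)
    if os.lstat(path).st_dev != os.lstat(trash).st_dev:
        raise OSError("refusing cross-device move of %s into %s" % (path, trash))
    # Timestamp plus counter: deleting the same filename twice must not clobber.
    base, stamp, n = os.path.basename(path), int(time.time()), 0
    entry = os.path.join(trash, "%s.%d" % (base, stamp))
    while os.path.lexists(entry) or os.path.lexists(entry + ".origin"):
        n += 1
        entry = os.path.join(trash, "%s.%d.%d" % (base, stamp, n))
    os.rename(path, entry)          # same device: a metadata update, no data copy
    with open(entry + ".origin", "w") as f:   # sidecar recording the original path
        f.write(path)
    return entry


def restore(entry):
    """Move a trashed entry back to its recorded original path; return that path."""
    with open(entry + ".origin") as f:
        origin = f.read()
    if os.path.lexists(origin):
        raise FileExistsError("will not overwrite %s" % origin)
    os.makedirs(os.path.dirname(origin), exist_ok=True)
    os.rename(entry, origin)
    os.remove(entry + ".origin")
    return origin


def empty_trash(trash_root, older_than=7 * 24 * 3600, now=None):
    """Permanently delete entries trashed more than older_than seconds ago.
    Age is the .origin sidecar's mtime (set at deletion), since rename keeps
    the file's own mtime. Returns the number of entries removed."""
    now = time.time() if now is None else now
    trash = os.path.join(trash_root, TRASH_DIRNAME)
    removed = 0
    if not os.path.isdir(trash):
        return removed
    for name in os.listdir(trash):
        if not name.endswith(".origin"):
            continue
        sidecar = os.path.join(trash, name)
        if now - os.lstat(sidecar).st_mtime < older_than:
            continue
        entry = sidecar[:-len(".origin")]
        if os.path.isdir(entry) and not os.path.islink(entry):
            shutil.rmtree(entry)
        elif os.path.lexists(entry):
            os.remove(entry)
        os.remove(sidecar)
        removed += 1
    return removed
```

Running empty_trash from cron with the default week-long age addresses the server case: nobody has to sit at the box to empty the trash, and nothing is lost in the window where a mistaken rm can still be undone.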
"One would not do such a thing in Mac OS X."
Granted, I use Finder to delete files 95% of the time, but on occasion I use the rm command to delete. Not only can I not undo this, rm does not act the same way Finder's delete does. rm does not put files into the trash.
This seems like a design flaw. The Mac is a great platform (my Tiger DVD is in the mail, I am hooked) and the Tiger features that make mv and cp more Mac-native are great. Having said that, the GUI operations that have a CLI counterpart (delete in Finder vs. the rm command) should operate the same way and be interchangeable wherever possible.
Actually, Robertson is right.
He said "why is it more secure to not run as root. Nobody really has a good answer. They say "oh, yeah, it is!", but it really isn't. Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well. "
Obviously he is talking about single user computers, as most PCs are. If you have a single user computer, when your user account is penetrated, your root account is penetrated next time you su.
The last step in a Linspire install, which apparently no one in this thread has done, is to set up user accounts for a multi-user system. If it is a single user system, there is NO additional security to setting up a user account.
My data is the most important thing for me. I can reinstall Linux in 15 minutes, but my data is irreplaceable.
Peter
Ubuntu does this too. The default installation has the root account disabled for login purposes. What few administration tasks require root access is done through sudo using the user's password for authentication. Login could just as well be automatic.
I fail to see entirely what Linspire needs continuous root-level access for.
When one RTFA they will notice that Robertson is talking about a desktop system. Having users log in as some root/admin account is not a big deal because the only thing valuable on that system is the data stored as the only user on their system. Obviously he's not saying "run apache as root". In fact he implies it would be a very bad idea to allow things like a webserver to have write-access to a user's data!
Now if you are maintaining a multi-user system, root access is more powerful because it grants you full access to all users' information. Although these days a family computer has multiple accounts on it, Little Timmy's and Mom's data is separate. If Timmy downloads some malicious code in some new music sharing program that turns out to be a trojan, at least Mom's calendar, address book and tax information will be protected.
Of course I'd recommend periodic backups to give you real data security. That's perhaps more important than the root/non-root issue.
“Common sense is not so common.” — Voltaire
Obviously his answer is Market Force driven and non-technical. He ships as root, he doesn't want to sacrifice his product's perception. He'll never say anything else.
Would you expect the CEO of Exxon to openly state that there is something called Global Warming and it is necessary for everyone to stop driving gasoline powered cars?
Certainly not until they have the answer. It may be that Linspire is working on changing this for real, but it won't be openly discussed.
Michael Robertson's market is rather different from the typical Linux market. He's trying to sell an end user commodity.
The end user does not give a fuckola about permissions, user management, and the meaning of the word "root". Insecure? Yeah, a little.
If a regular user runs a malicious program, they've already risked all of their own data. The system itself is "safe", but many of the reasons people 0wn Windows boxes can be satisfied just by having user privileges. It can be used as a spam conduit. It can be used in a DDoS attack. It can give the keys to someone else so they can try a local exploit to gain root, or it may have a set of local exploits built in to elevate to root right there.
Running any malicious code represents some kind of compromise. The argument for running it as a non-privileged user vs. root user is just one about dampening the impact, but just slightly.
On the other hand, running everything as root makes the end user experience a lot more comfortable. Security is inconvenient.
The stupidity of this position is very easy to explain. He's claiming that the worst thing (losing user data) is the only thing to worry about. Since non-root doesn't prevent that, let's get rid of it.
To use his own analogy, if the worst thing that can happen in a car is to run into a wall, then why have door locks? Whether you have locks on the door or not, you're still going to die. And they make it hard to get into the car, so let's get rid of them.